authorJakub Hrozek <jhrozek@redhat.com>2017-03-14 11:17:05 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-03-27 09:58:55 +0200
commit35c9dfe9ba78d3a635cd1af0fb6349ba44344623 (patch)
treeb860966c9bbf8bc018bd4f61307ef2b72d17d89d
parentcac0db2f8004ae88b9263dc3888a11a2d3d3d114 (diff)
downloadsssd-35c9dfe9ba78d3a635cd1af0fb6349ba44344623.tar.gz
sssd-35c9dfe9ba78d3a635cd1af0fb6349ba44344623.tar.xz
sssd-35c9dfe9ba78d3a635cd1af0fb6349ba44344623.zip
KCM: Make the secrets ccache back end configurable, make secrets the default
Adds a new option 'ccache_storage' that allows selecting either the memory back end or the secrets back end. The secrets back end is the default, and the option is deliberately left undocumented. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/cfg_rules.ini1
-rw-r--r--src/responder/kcm/kcm.c49
-rw-r--r--src/responder/kcm/kcmsrv_ccache.c2
-rw-r--r--src/responder/kcm/kcmsrv_ccache.h6
-rw-r--r--src/responder/kcm/kcmsrv_ccache_be.h1
-rw-r--r--src/responder/kcm/kcmsrv_pvt.h7
7 files changed, 56 insertions, 11 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c443e869a..fb60675ca 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -234,6 +234,7 @@
/* KCM Service */
#define CONFDB_KCM_CONF_ENTRY "config/kcm"
#define CONFDB_KCM_SOCKET "socket_path"
+#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
struct confdb_ctx;
struct config_file_ctx;
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5e789c516..67a5d1f5a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -280,6 +280,7 @@ option = fd_limit
option = client_idle_timeout
option = description
option = socket_path
+option = ccache_storage
[rule/allowed_domain_options]
validator = ini_allowed_options
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
index 2c12ef215..063c27b91 100644
--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -47,6 +47,37 @@ static int kcm_responder_ctx_destructor(void *ptr)
return 0;
}
+static errno_t kcm_get_ccdb_be(struct kcm_ctx *kctx)
+{
+ errno_t ret;
+ char *str_db;
+
+ ret = confdb_get_string(kctx->rctx->cdb,
+ kctx->rctx,
+ kctx->rctx->confdb_service_path,
+ CONFDB_KCM_DB,
+ "secrets",
+ &str_db);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the KCM database type [%d]: %s\n",
+ ret, strerror(ret));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "KCM database type: %s\n", str_db);
+ if (strcasecmp(str_db, "memory") == 0) {
+ kctx->cc_be = CCDB_BE_MEMORY;
+ return EOK;
+ } else if (strcasecmp(str_db, "secrets") == 0) {
+ kctx->cc_be = CCDB_BE_SECRETS;
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected KCM database type %s\n", str_db);
+ return EOK;
+}
+
static int kcm_get_config(struct kcm_ctx *kctx)
{
int ret;
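Review bot: An unrecognized `ccache_storage` value is logged as SSSDBG_FATAL_FAILURE but kcm_get_ccdb_be still returns EOK, so kctx->cc_be is never assigned and the responder starts with whatever value the field already held — presumably CCDB_BE_MEMORY if kctx was zero-allocated, which is not visible here. That means a typo in the option silently downgrades from the intended secrets back end to the in-memory store instead of refusing to start. Return an error on the fall-through path, `return EINVAL;`, so the new check in kcm_get_config aborts startup with the "Cannot get KCM ccache DB" message. The accepted values could also be spelled out in a comment above the function, e.g. `/* Accepts "memory" or "secrets" (case-insensitive); anything else is a configuration error */`.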
@@ -88,14 +119,21 @@ static int kcm_get_config(struct kcm_ctx *kctx)
&sock_name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "Cannot get the client idle timeout [%d]: %s\n",
+ "Cannot get KCM socket path [%d]: %s\n",
ret, strerror(ret));
goto done;
}
kctx->rctx->sock_name = sock_name;
- ret = EOK;
+ ret = kcm_get_ccdb_be(kctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get KCM ccache DB [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ ret = EOK;
done:
return ret;
}
@@ -111,7 +149,8 @@ static int kcm_data_destructor(void *ptr)
}
static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev)
+ struct tevent_context *ev,
+ enum kcm_ccdb_be cc_be)
{
struct kcm_resp_ctx *kcm_data;
krb5_error_code kret;
@@ -122,7 +161,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
return NULL;
}
- kcm_data->db = kcm_ccdb_init(kcm_data, ev, CCDB_BE_MEMORY);
+ kcm_data->db = kcm_ccdb_init(kcm_data, ev, cc_be);
if (kcm_data->db == NULL) {
talloc_free(kcm_data);
return NULL;
@@ -176,7 +215,7 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- kctx->kcm_data = kcm_data_setup(kctx, ev);
+ kctx->kcm_data = kcm_data_setup(kctx, ev, kctx->cc_be);
if (kctx->kcm_data == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE,
"fatal error initializing responder data\n");
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index 2ae120269..a22184e0f 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -244,7 +244,7 @@ struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx,
break;
case CCDB_BE_SECRETS:
DEBUG(SSSDBG_FUNC_DATA, "KCM back end: sssd-secrets\n");
- /* Not implemented yet */
+ ccdb->ops = &ccdb_sec_ops;
break;
default:
DEBUG(SSSDBG_CRIT_FAILURE, "Unknown ccache database\n");
diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h
index 18c8c47ad..36c481c53 100644
--- a/src/responder/kcm/kcmsrv_ccache.h
+++ b/src/responder/kcm/kcmsrv_ccache.h
@@ -29,6 +29,7 @@
#include "util/util.h"
#include "util/sss_iobuf.h"
#include "util/util_creds.h"
+#include "responder/kcm/kcmsrv_pvt.h"
#define UUID_BYTES 16
#define UUID_STR_SIZE 37
@@ -113,11 +114,6 @@ errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc,
struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc);
struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd);
-enum kcm_ccdb_be {
- CCDB_BE_MEMORY,
- CCDB_BE_SECRETS,
-};
-
/* An opaque database that contains all the ccaches */
struct kcm_ccdb;
diff --git a/src/responder/kcm/kcmsrv_ccache_be.h b/src/responder/kcm/kcmsrv_ccache_be.h
index 1bd2b6981..a0796c298 100644
--- a/src/responder/kcm/kcmsrv_ccache_be.h
+++ b/src/responder/kcm/kcmsrv_ccache_be.h
@@ -200,5 +200,6 @@ struct kcm_ccdb_ops {
};
extern const struct kcm_ccdb_ops ccdb_mem_ops;
+extern const struct kcm_ccdb_ops ccdb_sec_ops;
#endif /* _KCMSRV_CCACHE_BE_ */
diff --git a/src/responder/kcm/kcmsrv_pvt.h b/src/responder/kcm/kcmsrv_pvt.h
index a29680246..74f30c000 100644
--- a/src/responder/kcm/kcmsrv_pvt.h
+++ b/src/responder/kcm/kcmsrv_pvt.h
@@ -49,6 +49,12 @@ struct kcm_resp_ctx {
struct kcm_ccdb *db;
};
+/* Supported ccache back ends */
+enum kcm_ccdb_be {
+ CCDB_BE_MEMORY,
+ CCDB_BE_SECRETS,
+};
+
/*
* responder context that contains both the responder data,
* like the ccaches and the sssd-specific stuff like the
@@ -58,6 +64,7 @@ struct kcm_ctx {
struct resp_ctx *rctx;
int fd_limit;
char *socket_path;
+ enum kcm_ccdb_be cc_be;
struct kcm_resp_ctx *kcm_data;
};